Configure A System To Authenticate Using Kerberos
General Information
Setting up a client to authenticate using Kerberos.
Prerequisites
Some items are required before being able to practice this objective.
- Lab Setup: Ensure you have already set up your FreeIPA server (ipa.example.com).
- Alternatively, you can set up a KDC server and client with local accounts.
- Creating a KDC server/FreeIPA server is not an RHCE exam objective, but you will need one to practice with.
- Lab Setup: An additional system to act as a client (server1.example.com).
- If you are using the FreeIPA server, configure the client to connect to it via LDAP.
Package Install
Install the required packages
yum install krb5-workstation pam_krb5
Configure the Kerberos Client
Option 1: Use authconfig to enable Kerberos
authconfig --enablekrb5 --krb5kdc=ipa.example.com --krb5realm=EXAMPLE.COM --krb5adminserver=ipa.example.com --update
Option 2: Use authconfig-tui to enable Kerberos
- Open authconfig-tui
authconfig-tui
- Authentication Configuration
  - Under Authentication → select "Use Kerberos", then Next
  - LDAP Settings → Do not change anything, Next
  - Kerberos Settings
    - Realm: EXAMPLE.COM
    - KDC: ipa.example.com
    - Admin Server: ipa.example.com
  - Ok
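Both options above end up writing the client's /etc/krb5.conf. The script below is an added example, not part of the original page, that reads such a file and confirms the default realm, KDC and admin server are what you intended; the sample file content is constructed to mirror the layout authconfig produces, and the /etc/krb5.conf path and EXAMPLE.COM / ipa.example.com values are the lab assumptions from this page.

```shell
# Added example (not from the original page): sanity-check a client krb5.conf.
# The sample below is constructed; the realm/KDC values are lab assumptions.

SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com
  admin_server = ipa.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
'

# krb5_get KEY [REALM]: read a krb5.conf on stdin and print the value of KEY.
# Without REALM the key is looked up in [libdefaults]; with REALM it is looked
# up inside that realm's { } block under [realms]. Prints nothing if absent.
krb5_get() {
    awk -v key="$1" -v realm="$2" '
        /^[ \t]*\[/ { section = $0; gsub(/[^A-Za-z_]/, "", section); block = ""; next }
        section == "realms" && /=[ \t]*[{]/ { block = $1; next }
        section == "realms" && /^[ \t]*[}]/ { block = ""; next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (realm == "" && section == "libdefaults") { print v; exit }
            if (realm != "" && block == realm) { print v; exit }
        }'
}

# krb5_check REALM KDC: read krb5.conf on stdin and confirm the client points
# at the expected realm and KDC. Returns 0 when every check passes.
krb5_check() {
    conf=$(cat); want_realm=$1; want_kdc=$2; rc=0
    got_realm=$(printf '%s\n' "$conf" | krb5_get default_realm)
    got_kdc=$(printf '%s\n' "$conf" | krb5_get kdc "$want_realm")
    got_admin=$(printf '%s\n' "$conf" | krb5_get admin_server "$want_realm")
    [ "$got_realm" = "$want_realm" ] || { echo "default_realm is '$got_realm', expected $want_realm"; rc=1; }
    [ "$got_kdc" = "$want_kdc" ] || { echo "kdc for $want_realm is '$got_kdc', expected $want_kdc"; rc=1; }
    [ -n "$got_admin" ] || { echo "no admin_server for $want_realm"; rc=1; }
    # Realm names are case-sensitive and conventionally upper-case; a realm
    # typed in lower case is a common reason kinit cannot locate the KDC.
    [ "$got_realm" = "$(printf '%s' "$got_realm" | tr 'a-z' 'A-Z')" ] \
        || { echo "realm '$got_realm' is not upper-case"; rc=1; }
    return $rc
}

# Run against the constructed sample; on a real client use:
#   krb5_check EXAMPLE.COM ipa.example.com < /etc/krb5.conf
printf '%s\n' "$SAMPLE_KRB5_CONF" | krb5_check EXAMPLE.COM ipa.example.com && echo "krb5.conf OK"
```

Run it after either authconfig option against the real file; any mismatch it prints is worth fixing before you try kinit, since a wrong realm or KDC name is the usual cause of kinit failing to reach the server.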
Test a Kerberos ticket
- Log in as an LDAP user
su - linda
- Get a Kerberos ticket
kinit linda
- View ticket
klist
- SSH to another system
ssh ipa.example.com
Configure the Client OS Components
SSH
Uncomment the required GSSAPI lines in /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Reload the SSHD config
systemctl reload sshd
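One thing to be aware of when uncommenting those lines: sshd uses the first uncommented occurrence of a keyword, so an uncommented "GSSAPIAuthentication yes" placed below an earlier explicit "GSSAPIAuthentication no" has no effect. The script below is an added example, not part of the original page, that resolves the value sshd will actually use and flags that situation; the sshd_config fragments are constructed samples.

```shell
# Added example (not from the original page): resolve the effective value of
# the GSSAPI keywords in an sshd_config. Sample config content is constructed.

SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 22
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
'

# Same keywords, but an explicit "no" sits above the uncommented "yes".
SAMPLE_SSHD_CONFIG_SHADOWED='Port 22
GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
'

# sshd_effective KEYWORD: read sshd_config on stdin and print the value sshd
# would use for KEYWORD (keywords are case-insensitive), or "unset" if it never
# appears. Only "Keyword value" lines are handled, and scanning stops at the
# first Match block because settings inside it apply conditionally.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# gssapi_check: read sshd_config on stdin and return 0 only if both keywords
# the objective requires resolve to "yes". sshd's built-in default for
# GSSAPIAuthentication is "no", so the line has to be present and reachable.
gssapi_check() {
    conf=$(cat); rc=0
    for kw in GSSAPIAuthentication GSSAPICleanupCredentials; do
        val=$(printf '%s\n' "$conf" | sshd_effective "$kw")
        [ "$val" = yes ] || { echo "$kw resolves to '$val'"; rc=1; }
    done
    return $rc
}

# Run against the constructed samples; on a real host compare with what sshd
# itself reports as its effective configuration:  sshd -T | grep -i gssapi
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gssapi_check && echo "GSSAPI settings OK"
printf '%s\n' "$SAMPLE_SSHD_CONFIG_SHADOWED" | gssapi_check || echo "shadowed setting detected"
```

On the real client run gssapi_check < /etc/ssh/sshd_config before the reload; sshd -T is the authoritative check afterwards since it prints the configuration the daemon actually parsed.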
PAM
Configure PAM to enable krb5
authconfig --enablekrb5 --update
Test The Client
Change to the user
su - user1
Initialize Kerberos
kinit
SSH to the KDC server
ssh ipa.example.com
- You should not be prompted for a password, because the Kerberos ticket obtained with kinit is used to authenticate
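Both test sections above (kinit as linda, then as user1) rely on kinit having put a ticket-granting ticket for the right realm in the credential cache; if the password prompt still appears, that is the first thing to confirm. The script below is an added example, not part of the original page, that parses klist output and verifies the principal's realm and the presence of the TGT; the klist output is a constructed sample and EXAMPLE.COM is the lab assumption.

```shell
# Added example (not from the original page): verify from klist output that
# kinit produced a TGT for the expected realm. The output below is constructed.

SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user1@EXAMPLE.COM

Valid starting       Expires              Service principal
05/01/2024 09:00:00  05/02/2024 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/01/2024 09:01:12  05/02/2024 09:00:00  host/ipa.example.com@EXAMPLE.COM
'

# klist_principal: print the "Default principal" from klist output on stdin.
klist_principal() {
    awk -F': ' '$1 == "Default principal" { print $2; exit }'
}

# klist_has_tgt REALM: return 0 if the klist output on stdin lists a TGT
# (krbtgt/REALM@REALM) for REALM; the service principal is the last field.
klist_has_tgt() {
    awk -v tgt="krbtgt/$1@$1" '$NF == tgt { found = 1; exit } END { exit found ? 0 : 1 }'
}

# tgt_check REALM: combine both checks; return 0 when the cache belongs to a
# principal in REALM and holds that realm's TGT.
tgt_check() {
    out=$(cat); realm=$1; rc=0
    princ=$(printf '%s\n' "$out" | klist_principal)
    [ "${princ##*@}" = "$realm" ] || { echo "principal '$princ' is not in realm $realm"; rc=1; }
    printf '%s\n' "$out" | klist_has_tgt "$realm" || { echo "no krbtgt/$realm@$realm ticket in cache"; rc=1; }
    return $rc
}

# Run against the constructed sample; on a real client, after kinit:
#   klist | tgt_check EXAMPLE.COM
# klist -s (silent mode) additionally exits non-zero when the cache is expired.
printf '%s\n' "$SAMPLE_KLIST" | tgt_check EXAMPLE.COM && echo "TGT present"
```

If tgt_check passes but ssh still asks for a password, the cache is fine and the problem is on the SSH side (the GSSAPI settings on the target host, or the host's own Kerberos principal), which narrows the troubleshooting considerably.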